Re: [integrity]: Origin confusion attacks. from Ben Toews on 2014-01-10 (public-webappsec@w3.org from January 2014)

From: Ben Toews <btoews@github.com>
Date: Fri, 10 Jan 2014 11:30:55 -0600
To: Pete Freitag <pete@foundeo.com>
Cc: Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <0B551A537E1F4E59AC7D7FDB12EA442A@github.com>

It doesn’t seem like you would need to provide the nonce in style.css because the integrity hash of cat.gif is already incorporated into the integrity hash of style.css.

--  
Ben Toews


On Friday, January 10, 2014 at 11:22 AM, Pete Freitag wrote:

> On Fri, Jan 10, 2014 at 4:18 AM, Mike West <mkwst@google.com (mailto:mkwst@google.com)> wrote:
> > I think the nonce makes it clear that the script tag was added by the author, rather than maliciously injected. That should give us enough trust in the author's intent to bypass the origin check, assuming the integrity check hits the cache.  
>  
> I like the nonce idea. Is nonce currently implemented for img tags or any tags other than script, style?  
>  
> I am also wondering how this case would be handled:  
>  
> <link href="//cdn.example.com/style.css (http://cdn.example.com/style.css)" rel="stylesheet" nonce="abc" integrity="ni:///sha-512;xyz...123">  
>  
> And style.css contains:
>  
> .awesomeness {  
>   background-image: url(http://example.com/cat.gif)  
>   integrity(ni:///sha-512;3587cb776ce0e4...c838c423);  
> }
>  
> (or whatever css integrity syntax is decided)
>  
> Since the stylesheet is a static asset on the CDN it's not possible to include a nonce, can cat.gif be loaded from the integrity cache? I would think that is fine to allow for a stylesheet, but a script can load resources dynamically, some thought might need to be put into that scenario.  
>  
> > I also like Michal's approach, but I'm very worried about bloating the CSP header to the point where it outweighs the content it's protecting. Chrome has some sort of reasonable limit on header size (I have 16k in my head, but I've no idea if that's accurate)... how soon will we be hitting that? :)  
>  
> Again you would have the question I raised above to consider with this approach, would you need to whitelist the integrity hash of every image loaded by the CSS or just the css file?  
>  
> Apache's default request header limit is 8190 bytes, Tomcat has a request/response header size limit of 8192 bytes by default (tomcat 5 was 4096 bytes, but they increased it in version 6+). If a base64 encoded sha-512 hash is 43 characters that lets you fit ~185 hashes.   
>  
> -pete

Received on Friday, 10 January 2014 17:31:25 UTC